Information Security Principles

  1. Risk Management in Information Security
    1. Risk Management Fundamentals
      1. Risk Management Concepts
      2. Risk Management Frameworks
      3. Risk Management Lifecycle
      4. Organizational Risk Context
    2. Risk Identification Process
      1. Asset Identification
        1. Asset Inventory Methods
        2. Asset Classification
        3. Asset Valuation
      2. Threat Identification
        1. Threat Intelligence
        2. Threat Modeling
        3. Threat Landscape Analysis
      3. Vulnerability Identification
        1. Vulnerability Assessment Methods
        2. Vulnerability Scanning
        3. Penetration Testing
        4. Security Audits
    3. Risk Analysis and Assessment
      1. Risk Assessment Methodologies
        1. Qualitative Risk Analysis
          1. Risk Matrix Approach
          2. Subjective Risk Scoring
          3. Expert Judgment
          4. Scenario Analysis
        2. Quantitative Risk Analysis
          1. Asset Valuation Methods
          2. Probability Assessment
          3. Impact Calculation
          4. Annualized Loss Expectancy
          5. Return on Security Investment
      2. Risk Assessment Tools
        1. Risk Assessment Documentation
    4. Risk Treatment Strategies
      1. Risk Treatment Options
        1. Risk Mitigation
          1. Control Implementation
          2. Vulnerability Remediation
          3. Security Improvements
        2. Risk Acceptance
          1. Acceptable Risk Levels
          2. Risk Acceptance Criteria
          3. Documentation Requirements
        3. Risk Avoidance
          1. Risk Source Elimination
          2. Activity Discontinuation
          3. Alternative Approaches
        4. Risk Transfer
          1. Cyber Insurance
          2. Outsourcing Arrangements
          3. Contractual Risk Transfer
    5. Risk Monitoring and Review
      1. Continuous Risk Monitoring
      2. Risk Indicator Tracking
      3. Periodic Risk Reviews
      4. Risk Communication
      5. Risk Reporting
    6. Risk Relationships
      1. Threat-Vulnerability-Risk Equation
      2. Risk Interdependencies
      3. Cascading Risk Effects
      4. Risk Aggregation